3 Keys For More Effective Security Spend

New study models security costs to show how variables can affect the risk to ROI equation over time.

Security teams could get a whole lot more bang for their buck if CISOs spent their budgets more strategically. A recent study by RAND Corporation, sponsored by Juniper Networks, pinpointed a number of areas that IT security can adjust to reduce the overall cost of managing risk in the enterprise.

Based on months of research and interviews with CISOs at over 1,000 organizations by RAND experts, the report lays out a framework that it claims is the first of its kind to chart the holistic cost of managing risk, factoring in not just the cost and probability of potential breaches and incidents, but also the cost of defense.

The framework is based on 27 variables that RAND researchers could quantitatively show influence an organization's costs across a 10-year period. These include organizational characteristics, security program decisions and investments, and changes in the technology ecosystem.

According to RAND researchers, security costs are on track to rise 38 percent over the next decade for most organizations. If organizations tweak their spending in critical areas, they may well be able to reduce that rate considerably.

"The security industry has struggled to understand the dynamics that influence the true cost of security risks to business," says Sherry Ryan, chief information security officer for Juniper. "What's clear is that in order for organizations to turn the table on attackers, they need to orient their thinking and investments toward managing risks in addition to threats."

One consideration organizations particularly need to be mindful of is the one-to-one transference of cost from risk to the cost of defense. At the moment, one-third of the losses avoided by mitigating risk is offset by the increased cost of the tools used to do so, both in acquiring the tool and in an "implicit reduction in the value of networking," according to the report.

Clearly, some variables produce better cost-avoidance results than others. Within the study, some key highlights bubbled to the surface. The following are three of the top findings that should shape how organizations allocate their security spend.


Software Vulns are Expensive

Make no bones about it, software flaws are expensive. When they developed their heuristic model of cybersecurity, RAND researchers found that organizations able to cut the frequency of software vulnerabilities in half can reduce the overall cost of cybersecurity by a whopping 25 percent.

"There need to be better mechanisms to convey the interests that organizations have in the quality of code to those responsible for getting the code into products," RAND's researchers wrote.


Beware the Half Life

According to RAND researchers, the cat-and-mouse game between security researchers and advanced attackers yields a sort of half-life of effectiveness for many types of detection-based security technology. The research showed that technologies that depend on anomaly detection, signature detection, and sandboxing tend to lose 65 percent of their effectiveness over the course of a decade, due to attacker countermeasures designed to circumvent them.

This reduction in effectiveness increases cost by 16.2 percent over the course of a decade.

Researchers explained that technologies focused on improving overall security hygiene and reducing risk exposure tend to be less prone to this half-life phenomenon. These include network access control, firewall policy enforcement, network segregation, and patch management.

"As defenses are installed, organizations must realize they are dealing with a thinking adversary and that measures installed to thwart hackers tend to induce countermeasures as hackers probe for ways around or through new defenses," the report said. "This tit-for-tat exchange will eventually drive measures toward increasing expense, additional complexity, and, arguably, less reliability. Corporations should think about installing measures of the sort that are less likely to attract countermeasures."


Invest in Workforce

Meanwhile, the research done in conjunction with the report bears out something security experts have been saying for years: people are a key component in the recipe for security success, right alongside processes and technology. RAND reports that companies with the most effective security staff can cut the cost of cybersecurity by 19 percent in the first year and by 28 percent by the 10th year the model runs.

This is an interesting contrast with the previous point about technological half-life: RAND shows that even as the value of hardware decreases over time, good security analysts get better.

"With more cybersecurity employees, organizations can be more proactive in identifying potential incidents by putting people to work on log and event tracking, as well as on developing strategy and architecture for future systems," RAND's researchers said.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Ulf Mattsson, User Rank: Moderator, 6/16/2015 | 1:51:50 PM
Attacker countermeasures
I agree that "technologies that depended on things like anomaly detection, signature detection, and sandboxing tend to show effectiveness decreases of 65 percent over the course of a decade due to attacker countermeasures designed to circumvent them."

Less than 14% of breaches are detected by internal security tools according to the annual international breach investigations report from Verizon. Detection by external third party entities unfortunately increased from approximately 10% to 25% during the last three years. Unfortunately, current security approaches can't tell you what normal looks like in your own systems.

I think that we need to focus on protecting our sensitive data itself.

I found great advice in a Gartner report, covering enterprise and cloud, that analyzed solutions for Data Protection and Data Access Governance; the title of the report is "Market Guide for Data-Centric Audit and Protection." I recently read another interesting Gartner report, "Big Data Needs a Data-Centric Security Focus," concluding, "In order to avoid security chaos, Chief Information Security Officers (CISOs) need to approach big data through a data-centric approach." Gartner is proposing data tokenization as an effective approach to securing sensitive data.

I suggest that we should secure sensitive data across the entire data flow, including cloud, big data and enterprise systems. This approach can be very effective in addressing attacks against data, also from insider threats.

Ulf Mattsson, CTO Protegrity
User Rank: Apprentice, 6/16/2015 | 6:16:56 AM
Security has been a critical issue these days. Thanks for sharing such valuable content; waiting for more from you.